CVE-2026-12102
Status: Received - Intake
Insecure Direct Object Reference in UsersWP WordPress Plugin

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: Wordfence

Description
The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the 'user_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with editor-level access and above, to reset and permanently delete the avatar or banner image of any arbitrary user, including administrators, by clearing their avatar_thumb or banner_thumb metadata in the uwp_usermeta table.
Affected Vendors & Products
Vendor    Product    Version / Range
ayecode   userswp    up to and including 1.2.63
ayecode   userswp    1.2.64
CWE
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Mitigation Strategies

The immediate mitigation step is to update the UsersWP plugin to version 1.2.64 or later, where the vulnerability has been patched by enforcing proper nonce verification and user permission validation.

If updating immediately is not possible, restrict editor-level and higher user access temporarily to trusted users only, as the vulnerability requires editor-level privileges.

Additionally, monitor and audit user profile changes, especially avatar and banner image resets, to detect any unauthorized activity.

Executive Summary

CVE-2026-12102 is a security vulnerability in the UsersWP WordPress plugin (versions up to and including 1.2.63) that allows authenticated users with editor-level access or higher to exploit an Insecure Direct Object Reference (IDOR) flaw. This occurs because the 'user_id' parameter lacks proper validation, enabling these users to reset and permanently delete the avatar or banner images of any arbitrary user, including administrators, by clearing specific metadata fields in the database.

The vulnerability was caused by insufficient nonce verification, which was fixed in version 1.2.64 by modifying nonce generation to include the user ID and enforcing stricter access controls and permission validation.
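A hardened handler of the kind the fix describes, written here as an added illustration rather than UsersWP's own code; the hook name, nonce action, POST field names and the direct uwp_usermeta update are assumptions, and the two checks marked 1 and 2 are exactly what an IDOR-prone handler lacks:

```php
<?php
// Added illustration, not UsersWP code: an AJAX handler that clears a profile
// image the way the advisory says the fix should, i.e. with a nonce bound to
// the target user_id and a capability check against that same user.
// Hook name, action name and the uwp_usermeta column update are assumptions.

add_action( 'wp_ajax_example_uwp_reset_image', 'example_uwp_reset_image' );

function example_uwp_reset_image() {
    global $wpdb;

    // A vulnerable handler would read user_id and then skip both checks below.
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $type    = isset( $_POST['type'] ) ? sanitize_key( $_POST['type'] ) : '';

    if ( ! $user_id || ! in_array( $type, array( 'avatar', 'banner' ), true ) ) {
        wp_send_json_error( 'bad request', 400 );
    }

    // 1. The nonce must have been generated for this specific user_id, so a
    //    token issued for the editor's own profile cannot be reused for admins.
    if ( ! check_ajax_referer( 'example_uwp_reset_image_' . $user_id, 'nonce', false ) ) {
        wp_send_json_error( 'invalid nonce', 403 );
    }

    // 2. The requester must be allowed to edit the *target* user, not merely
    //    hold a high role. 'edit_user' is a WordPress meta capability that
    //    current_user_can() resolves for the given user ID.
    if ( get_current_user_id() !== $user_id && ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Clear the metadata column named in the advisory (table schema assumed).
    $column  = $type . '_thumb'; // avatar_thumb or banner_thumb, from the allow-list above
    $updated = $wpdb->update(
        $wpdb->prefix . 'uwp_usermeta',
        array( $column => '' ),
        array( 'user_id' => $user_id ),
        array( '%s' ),
        array( '%d' )
    );

    wp_send_json_success( array( 'rows' => (int) $updated ) );
}

// Where the reset form is rendered, the nonce is created for the target user:
// wp_nonce_field( 'example_uwp_reset_image_' . $user_id, 'nonce' );
```

With a default role set, an editor lacks the capability to edit other users, so step 2 rejects the cross-user request even when the nonce in step 1 is valid.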

Impact Analysis

This vulnerability allows an attacker with editor-level privileges to maliciously remove or reset profile images (avatars or banners) of any user on the WordPress site, including administrators. While it does not allow data theft or site takeover, it can lead to defacement or disruption of user profiles, potentially damaging user trust and site integrity.

Because the attacker can affect administrator profiles, it could also be used as part of a broader attack strategy to undermine administrative presence or cause confusion among users.

Detection Guidance

Detection of this vulnerability involves identifying if your WordPress site is running the UsersWP plugin version 1.2.63 or earlier, which is vulnerable to an insecure direct object reference via the 'user_id' parameter.

You can check the installed plugin version by running the following WP-CLI command:

  • wp plugin list --status=active | grep userswp

Additionally, to detect exploitation attempts, you can monitor web server logs for suspicious POST requests containing the 'user_id' parameter targeting avatar or banner image reset endpoints.

For example, use grep to search for such requests in your access logs:

  • grep -i 'user_id' /var/log/apache2/access.log | grep -E 'avatar|banner'

Also, monitoring database changes to the uwp_usermeta table for unexpected clearing of avatar_thumb or banner_thumb metadata can indicate exploitation.
